Asset Life Cycle

Acquisition
Acquisition of new assets that will use or maintain critical services or handle Level 1 and 2 data must be approved by the Information Security Office prior to purchase, to ensure that all potential security risks to the campus are identified, evaluated, and mitigated.
All such assets will undergo a risk assessment process in the following review areas:

General system/application information

Technical information

Data classification/handling

Vendor security practices

Application development practices

Contractual requirements

Regulatory compliance

All critical devices and applications, and those handling Level 1 and 2 information (with special attention to servers and network equipment), must be registered with the Information Security Office upon acquisition.

Implementation

All assets must be deployed using Sacramento State standard image builds, as defined in the Configuration Management Standard.
All applicable assets, as defined by the Information Security Officer, must comply with the following standards:

Campus monitoring agent installed (KBox for workstations and laptops, Orion for servers).

Assets that are considered high risk will be monitored by the KBox agent or the Orion server to ensure patch management compliance. These assets will be audited annually to ensure that Information Security Office records are up to date.

Assets must run current anti-malware software.

Any exceptions to the use of malware protection under campus guidelines must be approved through the exception process noted under Section 2.0 of the Supplemental Information Security Policy.

Assets must be built from the Sacramento State standard campus image.

Any exceptions to the use of campus standard images must be approved through the exception process noted under Section 2.0 of the Supplemental Information Security Policy.

Assets that access Level 1 or Level 2 data must be registered with the Information Security Office.

Encryption
When encryption is required by the ISO to protect campus information systems, data, or network resources, the following minimum requirements must be met:

Strong cryptography (e.g., AES) must be used, and the implementation must be certified by NIST or a similar organization. Triple-DES, historically listed here as an acceptable example, has since been deprecated by NIST (SP 800-131A) and should not be selected for new deployments.

Documented procedures and responsibilities for key management:

Key rotation

Key storage

Key selection

Key escrow

Key handling

Key recovery

Data Encryption

Encryption of Level 1 data at rest or prior to transmission may be required to prevent compromise, interception, or misrouting.

Data Availability

Records subject to disclosure under the California Public Records Act, or required to be accessible for defined periods of time in compliance with CSU records disposition schedules, shall be available to appropriate University officials at all times. Other information that may be required to conduct the University's business shall also be available when needed. Therefore, at least one copy (the authoritative copy) of any such information shall be stored in a known location in unencrypted form, or, if encrypted, the means to decrypt it must be available to more than one person.
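The key management requirements above (documented key storage, escrow and recovery) and the availability rule that the means to decrypt the authoritative copy must be held by more than one person are easiest to see in a concrete design. The Go program below is an added example and is not part of this standard or of any campus system. It encrypts a record under a random data-encryption key with AES-256-GCM (a NIST-approved algorithm and mode from Go's standard library; FIPS 140 validation of a particular build is a separate matter) and wraps that data key once for each custodian, so any single custodian can recover the record and no one person is a point of failure. The custodian names, the sample record and the key values are constructed for the demonstration; in production each custodian's key-encryption key would live in an HSM or key vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Custodian holds one person's key-encryption key (KEK); 32 bytes selects AES-256.
type Custodian struct {
	Name string
	KEK  []byte
}

// EscrowedRecord is the authoritative copy: ciphertext plus one wrapped DEK per custodian.
type EscrowedRecord struct {
	Ciphertext []byte            // AES-256-GCM output with the 12-byte nonce prepended
	WrappedDEK map[string][]byte // custodian name -> DEK sealed under that custodian's KEK
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; the GCM tag check rejects a wrong key or a tampered blob.
func unseal(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Encrypt produces the escrowed copy; fewer than two custodians violates the availability rule.
func Encrypt(record []byte, custodians []Custodian) (*EscrowedRecord, error) {
	if len(custodians) < 2 {
		return nil, errors.New("escrow requires at least two custodians")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, record)
	if err != nil {
		return nil, err
	}
	wrapped := make(map[string][]byte, len(custodians))
	for _, c := range custodians {
		w, err := seal(c.KEK, dek)
		if err != nil {
			return nil, fmt.Errorf("wrapping DEK for %s: %w", c.Name, err)
		}
		wrapped[c.Name] = w
	}
	return &EscrowedRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Recover lets any single custodian unwrap the DEK and read the record. An unknown
// custodian name yields a nil wrapped blob, which unseal rejects as too short.
func Recover(rec *EscrowedRecord, c Custodian) ([]byte, error) {
	dek, err := unseal(c.KEK, rec.WrappedDEK[c.Name])
	if err != nil {
		return nil, fmt.Errorf("%s cannot unwrap DEK: %w", c.Name, err)
	}
	return unseal(dek, rec.Ciphertext)
}

func main() {
	// Constructed example KEKs (32 bytes each); real KEKs come from an HSM or vault.
	alice := Custodian{Name: "alice", KEK: []byte("alice-example-kek-0123456789abcd")}
	bob := Custodian{Name: "bob", KEK: []byte("bob-example-kek-0123456789abcdef")}
	rec, err := Encrypt([]byte("constructed sample record"), []Custodian{alice, bob})
	if err != nil {
		panic(err)
	}
	out, err := Recover(rec, bob) // either custodian alone suffices
	fmt.Println(string(out), err)
}
```

Key rotation under this design is Recover followed by Encrypt with a fresh custodian list, which is also how a departed custodian's access is removed: what rotates is the wrapped data key, not the custodians' own KEKs, so the stored ciphertext is re-encrypted rather than left under a key a former employee once held.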

Patch management

All applicable assets must be maintained by an approved patch management process that ensures routine identification, evaluation, application and verification of software patches. All devices must regularly check for patch updates to ensure the asset is properly secured.

Vulnerability Management

All campus assets must be made available to regular vulnerability scans. No device may be configured in such a way as to prohibit campus-wide vulnerability scanning, unless a written exception is provided by the ISO.

Asset Definitions

Critical Asset – Defined as any system or device that meets the security category of Critical in section 8045.100 Security of Servers and Network Attached Devices of the Supplemental Information Security Policy.

Workstations, Laptops, and Servers – Defined as any state or auxiliary owned computer that is used to support the mission of the university. These assets must meet the following areas in order to comply with the asset standard.

Network Infrastructure Devices – Defined as any state or auxiliary owned devices that are used to connect, support or provide network or telecommunication services.

Removable Media – Defined as any state or auxiliary owned media that are used to facilitate a business need to transport or store electronic data. Examples are CDs, DVDs, flash drives, portable hard drives, backup tapes, or any device that can be transported from one workstation to another.

End User Devices – Defined as any state or auxiliary owned devices that are assigned directly to a faculty or staff member to conduct business functions. These devices include smartphones (iPhone, BlackBerry, etc.) and personal data devices (Palm, iPad, etc.).

Physical Assets – Defined as any state or auxiliary owned non-electronic documents that contain Level 1 or Level 2 data.

Vulnerable Assets – Defined as any device, whether or not owned by the state or auxiliary, that exhibits elevated vulnerabilities, is at risk of compromise, or has been compromised.

Network Attached Device – Defined as any device, whether or not owned by the state or auxiliary, that connects to the university network.

Data Center
Defined as a physically secured location that has the following security controls:

Alarms (notification to Public Safety)

Backup Generator

Enterprise class Uninterruptible Power Supplies (UPS)

Fire Extinguishing System

Dedicated HVAC System with Generator backup

Monitored Access Control (velocity)

Video surveillance (accessible by Public Safety)


Server Room
Defined as a physically secured location that has the following security controls and requirements:

Does NOT contain Confidential or Level 1 Data

Access limited to key personnel

Dedicated HVAC System

Network Telecommunication Closet
Defined as a physically secured location containing network infrastructure devices that has the following security controls: